2

I'm trying to build and deploy my docker image to a private registry using Google JIB maven plugin. However, it fails with issues accessing the private registry.

I have installed Docker Desktop v19.03.1 on my Windows 10 machine. Next I'm trying to using Google JIB Maven plugin to build my Spring Boot application and then push the image built on the private registry.

I have added the CERT to 'example.registry.com' to the Windows trusted CERTS. I was able to verify this using the docker command to login to private registry as below :-

docker login example.registry.com

This command returns success for authentication which means the CERT I added was accepted.

And Following the logon to the private registry, I'm able to PULL and PUSH images using docker command line to 'example.registry.com' successfully .

Below is my POM.xml file.

<plugin>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
<plugin>
    <groupId>com.google.cloud.tools</groupId>
    <artifactId>jib-maven-plugin</artifactId>
    <version>1.5.1</version>
    <configuration>
        <to>
           <image>example.registry.com/inventory-service-docker:1.0</image>
            <auth>
               <username>plaintextusernameforRegistry</username>
               <password>plaintestpasswordforRegistry</password>
           </auth>
        </to>
        <from>                           
             <image>openjdk:8</image>
        </from>
        <container>
           <ports>
              <port>8089</port>
           </ports>
        </container>
        <allowInsecureRegistries>true</allowInsecureRegistries> <!-- this is commented on the first run.-->
    </configuration>
</plugin>

When I run 'mvn compile jib:build' command from the console from the directory with pom.xml file, it does start the processing, however fails at a later stage with below error :-

[ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:1.5.1:build (default-cli) on project inventory-service-docker: Build image failed, perhaps you should use a registry that supports HTTPS or set the configuration parameter 'allowInsecureRegistries': Failed to verify the server at https://example.registry.com/v2/inventory-service-docker/blobs/sha256:9cc2ad81d40d54dcae7fa5e8e17d9c34e8bba3b7c2cc7e26fb22734608bda32e because only secure connections are allowed.

When I run the same command after setting the configuration parameter 'allowInsecureRegistries' as suggested from above error, I get a different error as below :-

[ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:1.5.1:build (default-cli) on project inventory-service-docker: Build image failed: Failed to authenticate with registry example.registry.com/inventory-service-docker because: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Looks like some config that I'm missing when using JIB that does not connect to 'example.registry.com' securely.

Kaustubh Hande
  • 35
  • 1
  • 6
  • If you've successfully used `docker login` then you shouldn't need to specify an `` section with username and password. But Jib currently does not send credentials over HTTP by default, so you'll need to explicitly add `-DsendCredentialsOverHttp`. https://github.com/GoogleContainerTools/jib/tree/master/docs/faq.md#how-can-i-diagnose-problems-pulling-or-pushing-from-remote-registries – Brian de Alwis Sep 20 '19 at 15:47
  • Thanks for the response, CERT for my private registry was missing from JAVA CACERT file, adding it did the trick. JIB was then successfully able to validate my credentials on the private registry and then pushed the image to it. I used following sample to add the CERT. `keytool.exe -import -storepass "changeit" -keystore "C:\Program Files (x86)\Java\jre1.8.0_144\lib\security\cacerts" -alias certificate.cer -file "C:\certificate.cer" -noprompt` – Kaustubh Hande Sep 23 '19 at 14:28

1 Answers1

0

(Before I start, please don't use Jib 1.5.x, as the those versions have a network performance issue.)

JVM doesn't make use of the Windows certificate stores. This doc says

One big problem of the JRE is that it completely ignores the Windows certificate stores. Instead of using the windows certificate store it uses its own implementation

One potential option for Windows I just found in another answer is to start Java with -Djavax.net.ssl.trustStoreType=WINDOWS-ROOT. But I haven't verified myself if this works.

Another way is to add your certificates to the default Java certificate store (truststore) file (cacerts). It is often located under <JDK>/lib/sercurity/ or <JRE>/jre/lib/security/.

There are multiple ways to add certificates (e.g., using various GUI tools). For example,

  • on the command line
keytool.exe -import -storepass "changeit" -keystore "C:\Program Files (x86)\Java\jre1.8.0_144\lib\security\cacerts" -alias certificate.cer -file "C:\certificate.cer" -noprompt

Lastly, for those who want to get some more ideas for troubleshooting this kind of Java cert issues, check out this comment.

Chanseok Oh
  • 3,920
  • 4
  • 23
  • 63